Update: The hits keep coming at ride-sharing giant Uber.
Earlier today, the city of Los Angeles sued Uber Technologies, alleging the company broke California laws requiring companies to report data breaches to the public as soon as they are discovered or as soon as possible. It was late November when the ride-hailing entity acknowledged that not only had the confidential information of 57 million customers and 600,000 drivers nationwide been stolen in 2016, but that the company paid the hackers $100,000 to destroy the data.
The civil penalties owed to Los Angeles could reach a maximum of $2,500 per violation for each of the two state laws Uber is alleged to have violated. Proceeds from the penalties would be shared by the city and county.
Meanwhile, more of the players involved in the cyberattack debacle are out of work as three managers from the company’s security department resigned over the weekend. Among them is the man who was chief of staff for Joe Sullivan, who, until he was fired for his role in the breach last week, was Uber’s chief security officer. A fourth employee, who is Uber’s head of Global Threat Operations, began a three-month medical leave over the weekend, as well.
It was not Uber that revealed that the personal information of 57 million of its customers and 600,000 of its drivers had been stolen in 2016. In fact, it was Bloomberg, which, on November 21, 2017, published an article alerting the world to the massive breach.
The Bloomberg piece did more than reveal the cyberattack. It also reported that Uber paid the hackers $100,000 to delete the stolen information and remain quiet about it. Later that day, Uber CEO Dara Khosrowshahi confirmed the breach in a blog post on the company’s web site. No mention was made of the payment made to buy the hackers’ silence.
According to Todd Friedland, a commercial litigation attorney with StephensFriedland LLC in Orange County, California, the Uber scenario ventures into uncharted waters. It is one thing for a multinational business to be hacked, as such occurrences are becoming more commonplace. It is far different, however, for the company to hide the breach from the public, its customers and investors and, even more nefarious, to pay the attackers to destroy the information they allegedly stole, says Friedland, who was president of the Orange County Bar Association in 2016.
“Uber may be treading on new ground because they paid the ransom. The cover-up may end up being worse than the crime because of the length of time that passed between the breach and its disclosure,” says Friedland.
While Khosrowshahi’s message noted Uber would provide credit protection for any drivers whose confidential information was compromised, the company has not offered the same to customers impacted by the cyberattack. Uber did not respond to repeated requests for comment for this story.
New revelations stemming from Uber’s cover-up have been an almost daily reality for the embattled company since the debacle was revealed. November 28 brought news that Uber lost nearly $1.5 million in the Third Quarter, up from the $1.1 billion loss it sustained in the Second Quarter.
On November 26, Reuters reported Mexican authorities intend to ask Uber officials to provide details about the consequences Mexicans could suffer due to the massive breach.
According to a November 23 article in The Wall Street Journal, Uber’s CEO learned of the breach September 5, approximately two weeks after he assumed his new position with the company. He has been quoted as saying he immediately ordered an in-house investigation into the incident.
November 22 brought news of the ouster of Uber’s In-House Counsel and his direct supervisor, who was also Uber’s chief security officer, due to their roles in the covert operation and payment of ransom.
Friedland says Uber’s behavior communicates a total disconnect from the very people who keep it in business, as it shifts the responsibility for researching and correcting any credit problems or identity theft issues arising from the breach to its customers.
As if all of this turmoil is not enough, Friedland predicts Uber will be subject to an unprecedented amount of litigation stemming from its behavior. For example, the company could be sued for violating its duty to protect the confidential information of its customers and drivers under federal law.
Meanwhile, on the state level, Uber could be sued by customers or drivers residing in states considered to be plaintiff-friendly, such as California, Hawaii and Massachusetts. Friedland says states with consumer-friendly laws, like those three, “have more advanced disclosure requirements so when a company is hacked and consumer information is compromised, they are required to notify potential victims so they can protect themselves.”
The third litigation battleground Uber is likely to face will consist of the victims of the breach and subsequent cover-up. He predicts a number of class action lawsuits will ensue following Uber’s behavior.
News of Uber’s huge financial losses only compounds the company’s problems, says Friedland. “They can’t continue to lose money and then add legal problems” on top of that and hope to remain viable, he says.
While the breach and subsequent cover-up will lead to at least three arenas of legal headaches for Uber, a fourth battlefront dogging the company isn’t a new one.
“Uber’s mindset is one of entitlement and that they can get away with anything,” says Dr. Joyce Knudsen, a Nashville-based business expert who counsels people on how to present themselves to make the best possible personal and professional impressions.
Uber’s handling of the breach is a demonstration in failure, she says. For example, it was terribly unethical for the company not to reveal the hack as soon as it learned of it, says Knudsen.
“In order to regain trust, which is almost impossible, [Uber] should have explained to the public what went wrong and what they will do to prevent it” from recurring, she says.
Knudsen herself has not and will not hire an Uber. “I don’t think it’s safe,” she says.
A former Uber driver and current ride-share customer concurs with Knudsen’s concerns about customer safety in an Uber.
John R. Peragine, a ghostwriter and author in Davenport, Iowa, says when he was an Uber driver during the summer of 2017, he never once spoke with a live person connected with Uber. Despite statements on Uber’s web site requiring documentation regarding a vehicle’s safety record to be uploaded before a person is hired to be a driver, he says he was never prevented from driving despite not providing the information. He was not subject to a background check, either.
Other ride-share companies, such as Lyft, require applicants for driving positions to undergo a background check.
Peragine says that despite the breach he would still hire a ride-share if he needed one. If the only choice is Uber, he might still take it, depending on the situation.
The fallout from the Uber debacle will be a fascinating one, says Friedland.
“The Uber matter will be watched closely by the legal community because of the unique twists and the fact the company is already suffering a PR nightmare,” says Friedland.